PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Mitigating Malware Collin Jackson CS142 – Winter 2009.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Computer Security and Penetration Testing
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
Prevent Cross-Site Scripting (XSS) attack
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
AJAX Without the “J” George Lawniczak. What is Ajax?
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Optimizing Traditional and Advocating New Prevention Methods Mark Jenne Tatiana Alexenko Cross-Site-Request-Forgery.
JSProxy: Safety from Javascript Benjamin Prosnitz, Tang Yi, Yinzhi Cao.
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Profile-based Web Application Security System Kyungtae Kim High Performance.
Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14.
 Two types of malware propagating through social networks, Cross Site Scripting (XSS) and Koobface worm.  How these two types of malware are propagated.
Security+ Guide to Network Security Fundamentals, Fourth Edition
Cross-Site Attacks James Walden Northern Kentucky University.
1 © Netskills Quality Internet Training, University of Newcastle HTML Forms © Netskills, Quality Internet Training, University of Newcastle Netskills is.
SMash : Secure Component Model for Cross- Domain Mashups on Unmodified Browsers WWW 2008 Frederik De Keukelaere et al. Presenter : SJ Park.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Cross Site Scripting and its Issues By Odion Oisamoje.
Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS Systems Modeling & Simulation Lab. Kim.
Module 7: Advanced Application and Web Filtering.
BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Spectator: Detection and Containment of JavaScriptWorms
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
Cookies Lack Integrity: Real-World Implications
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM.
SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
XSS 101 Jason Clark 12/20.
Javascript worms By Benjamin Mossé SecPro
Internet Quarantine: Requirements for Containing Self-Propagating Code
Building Secure ColdFusion Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Cross-Site Request Forgeries: Exploitation and Prevention
Automatic and Precise Client-Side Protection against CSRF Attacks
Riding Someone Else’s Wave with CSRF
Exploring DOM-Based Cross Site Attacks
Cross-Site Scripting Attack (XSS)
Cross Site Request Forgery (CSRF)
Presentation transcript:

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and Yan Chen § § Northwestern Lab for Internet and Security Technology, Northwestern University, Evanston, IL † SRI International, Menlo Park, CA 1

Social web networks – Platforms where people share their perspectives, opinions, thoughts and experiences – OSNs, Blogs, Social bookmarking etc. XSS worm threat is severe. – First worm: MySpace Samy (2005) – More and more prevalent: Renren, Yamanner, etc. – Akin to virus: human need to visit infected pages – Characteristic: Fast spreading In this paper, – Target: Prevent XSS worm propagation – Method: View separation & Request authentication Introduction Number of infected clients after 20 hours (Social Networks’ XSS Worms, Faghani et al.) 2

Roadmap Introduction Background – Attack Steps – XSS Taxonomy Related Work Our Approach Implementation Evaluation 3

Background Step 1 – Enticement and Exploitation Step 2 – Privilege Escalation Step 3 – Replication Step 4 – Propagation Download Modify benign user’s account Get infected Benign User Samy’s page Repeat Process Other Users 4

XSS Attacks Server-side XSS Content Sniffing XSS Stored XSS Reflected XSS Client-side XSS Plugin XSS DOM-based XSS Flash XSS Java XSS MySpace Samy Worm Yamanner Worm Renren Worm SpaceFlash Worm Our Experimental Worm XSS Taxonomy 5

Related Work Group one: Prevent XSS vulnerabilities – Incomplete coverage (BluePrint, Plug-in Patches, Barth et al., and Saxena et al.) Group two: Prevent XSS worms – No early-stage prevention (Spectator and Xu et al.) – Not resistant to polymorphic worm (Sun et al.) Our goal: Prevent all the XSS worms with early-stage prevention and resistance to polymorphic worms 6

Our Approach Two key concepts: (1) request authentication and (2) view separation Download Samy’s page Modify benign user’s account Benign User Access We use request authentication. View separation is always enforced. 7

For example, blog A, blog B, blog C and so on. Or more fine-grained, different pages in the same blog. Isolating contents from the same origin – iframe tag with sandbox properties in HTML5 – Pseudodomain encapsulation (mentioned later) View Separation View OneView Two 8

Request Authentication For example, requests from blog A does not have permissions to modify blog B Identifying which view a client-side request is from. – Secret token – Referer header Check if the view has the permission 9

Our Approach Download View One Modify benign user’s account Benign User Access View one does not have the permission. Isolating views at client side. View Two Identify that it is from View One. If we cannot identify, deny. 10

Roadmap Introduction Background Related Work Our Approach Implementation – Implementation One (Server Modification) – Implementation Two (Proxy) Evaluation – Case Study of Five Real-world Worms and Two Experimental Worms (only two covered in the talk) – Performance 11

Implementation One (Server Modification) Prototype examples: WordPress, Elgg Dividing views: by blogs Permissions for different views: can only modify its own blog. 12

View Isolation for Server Modification Isolating views at client side. – Pseudodomain encapsulation. isolate.x.com content.x.com isolate.x.com content.x.com attacker content.x.com It cannot break isolate.x.com (different origin). Secret token is required. 13

Request Authentication for Server Modification Identifying requests from client-side – Secret token Insertion position: Each request that will modify server- side contents. Checking requests’ permission – Checking position: Database operation. (A narrow interface that each modifying request will go through.) 14

Implementation Two (Proxy) Dividing views: by different client-side URLs. Permissions for different views: – Possible outgoing post URL from those URLs 15

View Isolation for Proxy Isolating views at client side – The same as implementation one. Request content.x.com/y.php isolate.x.com <iframe src = “content.x.com/y.php?t oken = *** isolate.x.com content.x.com Proxy Web Server Redirect to isolate.x.com 16

Request Authentication for Proxy Identifying requests from client-side – Referer header Specified by the browser. Attackers cannot change it. Checking requests’ permissions – Checking position: Proxy. – Method: See if the view has the permission to send the request. 17

Case Study for Real World Worms XSS Worm in Renren (Facebook in China) Flash insert malicious scripts inside the web page Share on the behalf of current user 18

share View One View Two click Request to share 19

Yamanner Worm Click Send s to all your contacts 20

Compose body Different views Send 21

Memory Overhead – Normally, # of frames is not high since comments can be hidden. Rendering Time Overhead. – Less than 3.5% for Elgg Evaluation 22

Conclusions We cut off the propagation path of XSS worms through view separation by psuedodomain encapsulation and request authentication. We implement PathCutter by proxy assistance and server modification. We evaluate PathCutter on 5 real-world worms and 2 proof-of-concept worms. 23

Thanks! Questions? 24

Backup 25

Comparison with Existing Works Spectator Sun et al. Xu et al. BluePrint Plug-in Patches Barth et al. Saxena et al. PathCutter Blocking Step Polymorphic WormYes No Yes Early-Stage PreventionNoYesNo Yes Types of XSS that Can Be DefendedAll Passively Observable Worms Traditional Server-side XSS Worms Plug-in XSS Worms Content Sniffing XSS Worms DOM-Based XSS WormsAll Deployment Server or ProxyClientServer Client Server or Proxy Passive/Active MonitoringActivePassive Active Group One: Mitigating XSSGroup Two: Worm prevention 26

Limitation Need to know the semantics of web application Only prevent worm behavior but not all the damages 27

Existing solutions Spectator … if it reaches a threshold, report it. the same injected tag proxy But it can only detect the worm when it spreads for a while! 28

Existing solutions Esorics 09 Firefox Plugin malicious benign Payload: abcdefg The same payload Deny! But (1) Payload may change. (2) Pure client-side solution. 29

URL graph provided by the server or a third-party blogX/index.php blogX/post-comment.php blogX/options.php blogX/update- options.php blogX/x.php … blogY/index.php 30

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.